{
	"id": "864e049e-4eb3-49a7-a84a-c88e9b257f01",
	"created_at": "2026-04-06T00:22:27.651866Z",
	"updated_at": "2026-04-10T03:34:18.790024Z",
	"deleted_at": null,
	"sha1_hash": "a7688ce660408287636ca848fad20e2bf53bb969",
	"title": "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359905,
	"plain_text": "DEV-0832 (Vice Society) opportunistic ransomware campaigns\r\nimpacting US education sector | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-10-25 · Archived: 2026-04-05 17:04:00 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. DEV-0832 is now tracked as Vanilla Tempest.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nIn recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global\r\neducation sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society.\r\nShifting ransomware payloads over time from BlackCat, QuantumLocker, and Zeppelin, DEV-0832’s latest\r\npayload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and,\r\nmost recently, .locked. In several cases, Microsoft assesses that the group did not deploy ransomware and instead\r\npossibly performed extortion using only exfiltrated stolen data.\r\nDEV-0832 is a cybercriminal group that has reportedly been active as early as June 2021. While the latest attacks\r\nbetween July and October 2022 have heavily impacted the education sector, DEV-0832’s previous opportunistic\r\nattacks have affected various industries like local government and retail. Microsoft assesses that the group is\r\nfinancially motivated and continues to focus on organizations where there are weaker security controls and a\r\nhigher likelihood of compromise and ransom payout. 
Before deploying ransomware, DEV-0832 relies on tactics,\r\ntechniques, and procedures commonly used among other ransomware actors, including the use of PowerShell\r\nscripts, repurposed legitimate tools, exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors like SystemBC.\r\nRansomware has evolved into a complex threat that’s human-operated, adaptive, and focused on a wider scale,\r\nusing data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry\r\nand privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene\r\nand legacy configurations or misconfigurations. Defenders can build a robust defense against ransomware by\r\nreading our ransomware as a service blog.\r\nIn this blog, we detail Microsoft’s analysis of observed DEV-0832 activity, including the tactics and techniques\r\nused across the group’s campaigns, with the goal of helping customers identify, investigate, and remediate activity\r\nin their environments. We provide hunting queries to help customers comprehensively search their environments\r\nfor relevant indicators as well as protection and hardening guidance to help organizations increase resilience\r\nagainst these and similar attacks.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/\r\nPage 1 of 8\n\nWho is DEV-0832 (Vice Society)?\r\nMicrosoft has identified multiple campaigns attributed to DEV-0832 over the past year based on the use of a\r\nunique PowerShell file name, staging directories, and ransom payloads and their accompanying notes. To gain an\r\ninitial foothold in compromised networks, DEV-0832 has reportedly exploited vulnerable web-facing applications\r\nand used valid accounts. 
However, due to limited initial signals from affected organizations, Microsoft has not\r\nconfirmed these attack vectors. Attackers then use custom PowerShell scripts, commodity tools, exploits for\r\ndisclosed vulnerabilities, and native Windows binaries to gather privileged credentials, move laterally, collect and\r\nexfiltrate data, and deploy ransomware.\r\nAfter deploying ransomware, DEV-0832 demands a ransom payment, threatening to leak stolen data on the\r\ngroup’s [.]onion site. In some cases, Microsoft observed that DEV-0832 did not deploy ransomware. Instead, the\r\nactors appeared to exfiltrate data and dwell within compromised networks. The group sometimes avoids a\r\nransomware payload in favor of simple extortion—threatening to release stolen data unless a payment is made.\r\nThe group also goes to significant measures to ensure that an organization cannot recover from the attack without\r\npaying the ransom: Microsoft has observed DEV-0832 access two domain administrator accounts and reset user\r\npasswords of over 150,000 users, essentially locking out legitimate users before deploying ransomware to some\r\ndevices. This effectively interrupts remediation efforts, including attempts to prevent the ransomware payload or\r\npost-compromise incident response.\r\nToolset\r\nRansomware payloads\r\nMicrosoft has observed DEV-0832 deploy multiple commodity ransomware variants over the past year: BlackCat,\r\nQuantumLocker, Zeppelin, and most recently a Vice Society-branded variant of the Zeppelin ransomware. 
While\r\nmany ransomware groups have shifted away from branded file extensions in favor of randomly generated ones,\r\nDEV-0832 incorporated branding with their Vice Society variant using .v-s0ciety or .v-society file extensions.\r\nMost recently, in late September 2022, DEV-0832 again modified their ransomware payload to a variant dubbed\r\nRedAlert, using a .locked file extension.\r\nIn one July 2022 intrusion, Microsoft security researchers observed DEV-0832 attempt to deploy QuantumLocker\r\nbinaries and then, within five hours, attempt to deploy suspected Zeppelin ransomware binaries. Such an incident\r\nmight suggest that DEV-0832 maintains multiple ransomware payloads and switches depending on target defenses\r\nor, alternatively, that dispersed operators working under the DEV-0832 umbrella maintain their own\r\npreferred ransomware payloads for distribution. The shift from a ransomware as a service (RaaS) offering\r\n(BlackCat) to a purchased, wholly-owned malware offering (Zeppelin) and then to a custom Vice Society variant indicates\r\nDEV-0832 has active ties in the cybercriminal economy and has been testing ransomware payload efficacy or\r\npost-ransomware extortion opportunities.\r\nIn many intrusions, DEV-0832 stages their ransomware payloads in a hidden share on a Windows system, that is,\r\na share whose name ends in “$” so that it is not listed when the host’s shares are enumerated. Once DEV-0832 has\r\nexfiltrated data, they then distribute the ransomware onto local devices for launching, likely using group policy, as\r\nshown in the below command:\r\nFigure 1.\r\n
Group policy to distribute ransomware onto local devices\r\nThe group also has cross-platform capabilities: Microsoft identified the deployment of a Vice Society Linux\r\nencryptor on a VMware ESXi server.\r\nPowerShell scripts\r\nDEV-0832 uses a PowerShell script to conduct a variety of malicious activities and make system-related changes\r\nwithin compromised networks. Like their ransomware payloads, DEV-0832 typically stages their PowerShell\r\nscripts on a domain controller.\r\nMicrosoft security researchers have observed several variations among identified DEV-0832 PowerShell scripts,\r\nindicating ongoing refinement and development over time—while some only perform system discovery\r\ncommands, other scripts are further modified to perform persistence, defense evasion, data exfiltration, and even\r\ndistribute the ransomware payloads.\r\nCommodity tools\r\nAccording to Microsoft investigations, DEV-0832 has used two commodity backdoors in ransomware attacks:\r\nSystemBC and PortStarter.\r\nSystemBC is a post-compromise commodity remote access trojan (RAT) and proxy tool that has been incorporated\r\ninto multiple diverse ransomware attacks. In one DEV-0832 intrusion, the attacker used both a compromised\r\ndomain admin user account and a compromised contractor account to launch a PowerShell command that\r\nlaunched a SystemBC session under the value name “socks”:\r\nFigure 2. PowerShell command launching a SystemBC session named ‘socks’\r\nPortStarter is a backdoor written in Go. According to Microsoft analysis, this malware provides functionality such\r\nas modifying firewall settings and opening ports to connect to pre-configured command-and-control (C2) servers.\r\nDEV-0832 has also deployed ransomware payloads using the remote launching tool Power Admin.\r\n
Power Admin\r\nis a legitimate tool that provides functionality to monitor servers and applications, as well as file access auditing.\r\nIf an organization has enabled Console Security settings within Power Admin, an attacker must have credentials to\r\nmake authorized changes.\r\nOther commodity tools identified in DEV-0832 attacks include Advanced Port Scanner and Advanced IP Scanner\r\nfor network discovery.\r\nAbuse of legitimate tooling\r\nLike many other ransomware actors, DEV-0832 relies on misusing legitimate system tools to reduce the need to\r\nlaunch malware or malicious scripts that automated security solutions might detect. Observed tools include:\r\nUse of the Windows Management Instrumentation Command-line (WMIC) to launch commands that\r\ndelete Mongo databases, other backups, and security programs.\r\nUse of Impacket’s wmiexec.py, an open-source tool that launches commands via WMI, and Impacket’s\r\natexec.py, which launches commands through Task Scheduler.\r\nUse of the vssadmin command to delete shadow copy backups on Windows Server.\r\nUse of PsExec to remotely launch PowerShell and batch scripts and to deploy ransomware payloads.\r\nAdditionally, in one identified intrusion, DEV-0832 attempted to turn off Microsoft Defender Antivirus using\r\nregistry commands. Enabling Microsoft Defender Antivirus tamper protection helps block this type of activity.\r\nFigure 3.\r\n
Registry commands that attempt to tamper with Microsoft Defender antivirus software\r\nHarvesting privileged credentials for ransomware deployment\r\nLike other ransomware groups, after gaining an initial foothold within a network, DEV-0832 moves quickly to\r\ngather valid local or domain administrator credentials to ensure they can distribute ransomware payloads\r\nthroughout the network for maximum impact.\r\nCredential dumps\r\nWhile Microsoft has not identified all the credential access techniques of DEV-0832, in many instances DEV-0832\r\naccesses Local Security Authority Subsystem Service (LSASS) memory dumps to obtain valid account credentials\r\nthat were present in memory. Microsoft also observed that, instead of using a tool like Mimikatz to access a\r\ncredential dump, DEV-0832 typically abuses the MiniDump export of the legitimate Windows library comsvcs.dll\r\n(invoked through rundll32.exe) to dump the LSASS process memory. Other ransomware actors have been observed\r\nusing the same technique.\r\nIn cases where DEV-0832 obtained domain-level administrator accounts, they accessed NTDS dumps for later\r\ncracking. The following command shows the attacker copying the NTDS.dit file, which stores the Active Directory\r\ndatabase, to an actor-created directory:\r\nFigure 4. Example of attacker command to exfiltrate the ‘NTDS.dit’ file\r\nKerberoast\r\nMicrosoft has also identified that DEV-0832 used the PowerSploit module Invoke-Kerberoast to perform a\r\nKerberoast attack, a post-exploitation technique used to obtain credentials for a service account from\r\nActive Directory Domain Services (AD DS). The Invoke-Kerberoast module requests service tickets for accounts\r\nthat have service principal names (SPNs) registered and returns the encrypted portion of each ticket in an\r\nattacker-specified output format compatible with offline cracking tools.\r\n
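The credential-dumping and tool-abuse command lines described above (comsvcs.dll MiniDump, NTDS.dit copies, vssadmin, Defender registry tampering, account creation, WMIC) and the Kerberoast ticket requests described in this section both leave footprints that can be hunted with simple logic. The following Python pass over constructed process-creation and Event ID 4769 telemetry is an added example, not code from Microsoft's post or from any Microsoft product. The host, user and service names, the command lines and the threshold of five distinct service accounts are assumptions chosen for the illustration; the DisableAntiSpyware policy value under the Windows Defender policy key and the 0x17 (RC4-HMAC) ticket encryption type are real Windows values.

```python
from collections import defaultdict

# Rules over process-creation command lines: (rule name, lowercase fragments that
# must all appear). Plain substring matching keeps the rules readable; tune the
# fragments to your own telemetry before relying on them.
PROCESS_RULES = [
    ('lsass_dump_comsvcs', ('comsvcs.dll', 'minidump')),         # rundll32 comsvcs.dll MiniDump <lsass pid>
    ('ntds_dit_access', ('ntds.dit',)),                          # AD database copied for offline cracking
    ('shadow_copy_delete', ('vssadmin', 'delete', 'shadows')),   # backups destroyed before encryption
    ('defender_tamper_registry', ('reg', 'add', 'windows defender', 'disableantispyware')),
    ('local_account_creation', ('net', 'user', '/add')),         # persistence without malware
    ('wmi_remote_exec', ('wmic', 'process', 'call', 'create')),  # WMIC / wmiexec-style remote execution
]

RC4_HMAC = 0x17               # 4769 TicketEncryptionType; RC4 tickets crack far faster than AES
KERBEROAST_SPN_THRESHOLD = 5  # distinct service accounts requested by one user (assumed value)


def match_process_events(events):
    '''Return (host, user, rule) for every command line that satisfies a rule.'''
    hits = []
    for ev in events:
        cmd = ev['cmdline'].lower()
        for rule, fragments in PROCESS_RULES:
            if all(fragment in cmd for fragment in fragments):
                hits.append((ev['host'], ev['user'], rule))
    return hits


def find_kerberoast(events_4769, threshold=KERBEROAST_SPN_THRESHOLD):
    '''Map requesting account -> sorted service names for accounts that obtained RC4
    service tickets for at least `threshold` distinct non-machine service accounts.
    Machine accounts (names ending in $) and krbtgt are skipped: they are not
    Kerberoast targets and would only add noise.'''
    services_by_account = defaultdict(set)
    for ev in events_4769:
        service = ev['service']
        if ev['etype'] != RC4_HMAC or service.endswith('$') or service == 'krbtgt':
            continue
        services_by_account[ev['account']].add(service)
    return {acct: sorted(svcs) for acct, svcs in services_by_account.items()
            if len(svcs) >= threshold}


def hunt(process_events, events_4769):
    '''One pass over both feeds; returns a findings dict a SOC could turn into alerts.'''
    return {
        'process_hits': match_process_events(process_events),
        'kerberoast_suspects': find_kerberoast(events_4769),
    }


# Constructed sample telemetry (not real logs): hosts, users and command lines are
# invented, modelled on the techniques the page describes.
PROCESS_EVENTS = [
    {'host': 'DC01', 'user': 'CONTOSO\\svc-backup',
     'cmdline': 'rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\l.dmp full'},
    {'host': 'DC01', 'user': 'CONTOSO\\svc-backup',
     'cmdline': 'cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\d\\ntds.dit'},
    {'host': 'FS02', 'user': 'CONTOSO\\svc-backup',
     'cmdline': 'vssadmin.exe delete shadows /all /quiet'},
    {'host': 'FS02', 'user': 'CONTOSO\\svc-backup',
     'cmdline': 'reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {'host': 'WS07', 'user': 'CONTOSO\\svc-backup',
     'cmdline': 'net user itadmin2 /add /domain'},
    {'host': 'WS07', 'user': 'CONTOSO\\helpdesk',
     'cmdline': 'wmic /node:FS02 process call create cmd.exe /c whoami'},
    {'host': 'WS12', 'user': 'CONTOSO\\alice',
     'cmdline': 'notepad.exe C:\\Users\\alice\\notes.txt'},                    # benign
]

TGS_EVENTS = [  # Event ID 4769 fields: requesting account, service name, ticket encryption type
    {'account': 'jsmith', 'service': 'svc-sql', 'etype': 0x17},
    {'account': 'jsmith', 'service': 'svc-web', 'etype': 0x17},
    {'account': 'jsmith', 'service': 'svc-backup', 'etype': 0x17},
    {'account': 'jsmith', 'service': 'svc-sccm', 'etype': 0x17},
    {'account': 'jsmith', 'service': 'svc-print', 'etype': 0x17},
    {'account': 'jsmith', 'service': 'svc-sql', 'etype': 0x17},    # repeat request, counted once
    {'account': 'jsmith', 'service': 'FS02$', 'etype': 0x17},      # machine account, ignored
    {'account': 'alice', 'service': 'svc-sql', 'etype': 0x12},     # AES256-CTS, normal access
    {'account': 'bob', 'service': 'svc-web', 'etype': 0x17},       # single legacy RC4 request, below threshold
]

if __name__ == '__main__':
    findings = hunt(PROCESS_EVENTS, TGS_EVENTS)
    for host, user, rule in findings['process_hits']:
        print(f'{host:5} {user:22} {rule}')
    for account, services in findings['kerberoast_suspects'].items():
        print(f'kerberoast? {account} requested RC4 tickets for {len(services)} services: {services}')
```

Run it as a script to print the findings, or import it and feed real events from your EDR and domain controllers in the same dict shape. The Kerberoast rule keys on RC4 because event 4769 records the ticket encryption type and cracking-oriented tooling prefers RC4 tickets; an environment that has already removed RC4 from its service accounts should widen the rule to AES tickets with an unusually high distinct-service count per requester.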
Cracking the tickets offline reveals the service account passwords, and such accounts often hold privileges\r\nequivalent to domain admin. Any authenticated domain user can request a ticket granting service (TGS) ticket for\r\nany SPN registered in Active Directory, and because the ticket is encrypted with a key derived from the service\r\naccount’s password, an account with many SPNs is exposed through any one of them; the attacker never has to\r\ninteract with the service itself, only with the domain controller, before moving to offline password cracking.\r\nCombined with the fact that service account passwords are not usually set to expire and typically remain\r\nunchanged for a great length of time, attackers like DEV-0832 continue to rely on Kerberoasting in compromised\r\nnetworks. Microsoft 365 Defender blocks this attack with Antimalware Scan Interface (AMSI) and machine\r\nlearning. Monitor for alerts that reference Kerberoast attacks closely, as the presence of these alerts typically\r\nindicates a human adversary in your environment.\r\nAccount creation\r\nIn one suspected DEV-0832 intrusion, Microsoft observed an operator create accounts that, based on the naming\r\nconvention, were designed to blend in as admin accounts and allow persistence without malware, as shown in the\r\nfollowing command:\r\nFigure 5.\r\n
Attacker command to create accounts\r\nMonitoring newly created accounts can help identify this type of suspicious activity that does not rely on\r\nlaunching malware for persistence in the environment.\r\nExploitation of privilege escalation vulnerabilities\r\nIn August 2022, Microsoft security researchers identified one file during a DEV-0832 intrusion indicating that the\r\ngroup has incorporated an exploit for the disclosed, patched security flaw CVE-2022-24521 (Windows Common\r\nLog File System (CLFS) logical-error vulnerability). Microsoft released a patch in April 2022. The DEV-0832 file\r\nspawns a new cmd.exe process with SYSTEM privileges.\r\nAccording to public reporting, DEV-0832 has also incorporated exploits for the PrintNightmare vulnerability to\r\nescalate privileges in a domain. Combined with the CVE-2022-24521 exploit code, it is likely that DEV-0832, like\r\nmany other adversaries, quickly incorporates available exploit code for disclosed vulnerabilities into their toolset\r\nto target unpatched systems.\r\nLateral movement with valid accounts\r\nAfter gaining credentials, DEV-0832 frequently moves laterally within a network using Remote Desktop Protocol\r\n(RDP). As previously mentioned, DEV-0832 has also used valid credentials to interact with remote network\r\nshares over Server Message Block (SMB), where they stage ransomware payloads and PowerShell scripts.\r\nData exfiltration\r\nIn one known intrusion, DEV-0832 operators exfiltrated hundreds of gigabytes of data by launching their\r\nPowerShell script, which was staged on a network share.\r\n
The script contained hardcoded attacker-owned IP\r\naddresses and searched for wide-ranging, non-targeted keywords ranging from financial documents to medical\r\ninformation, while excluding files containing keywords such as varied antivirus product names or file artifact\r\nextensions. Given the wide range of keywords included in the script, it is unlikely that DEV-0832 regularly\r\ncustomizes it for each target.\r\nMicrosoft suspects that DEV-0832 uses legitimate tools Rclone and MegaSync for data exfiltration as well; many\r\nransomware actors leverage these tools, which provide capabilities to upload files to cloud storage. DEV-0832\r\nalso uses file compression tools to collect data from compromised devices.\r\nMitigations\r\nApply these mitigations to reduce the impact of this threat:\r\nUse device discovery to increase your visibility into your network by finding unmanaged devices on your\r\nnetwork and onboarding them to Microsoft Defender for Endpoint.\r\nUse Microsoft Defender Vulnerability Management to assess your current status and deploy any updates\r\nthat might have been missed.\r\nUtilize Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent\r\nRPC and SMB communication among endpoints whenever possible. This limits lateral movement as well\r\nas other attack activities.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections\r\nblock the vast majority of new and unknown variants.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nblock malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when\r\nMicrosoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to\r\nremediate malicious artifacts that are detected post-breach.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to\r\ntake immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nLSA protection, which runs LSASS as a protected process light (PPL), is enabled by default on new Windows 11\r\ndevices and hardens the platform against credential dumping: a protected LSASS refuses memory-read handles\r\nfrom unprotected processes, so user-mode dumping such as the comsvcs.dll MiniDump technique described\r\nabove fails. Enable it on other supported systems as well, and monitor for attempts to disable it.\r\nRefer to Microsoft’s blog Ransomware as a service: Understanding the cybercrime gig economy and how\r\nto protect yourself for recommendations on building strong credential hygiene and other robust measures to\r\ndefend against ransomware.\r\nMicrosoft customers can turn on attack surface reduction rules to prevent several of the infection vectors of this\r\nthreat. These rules, which can be configured by any administrator, offer significant hardening against ransomware\r\nattacks.\r\n
In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the\r\nattack in the initial stages and prevented hands-on-keyboard activity:\r\nBlock process creations originating from PsExec and WMI commands\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nUse advanced protection against ransomware\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects DEV-0832’s Vice Society-branded Zeppelin variant as the following\r\nmalware:\r\nRansom:Win32/VSocCrypt\r\nTrojan:PowerShell/VSocCrypt\r\nRansom:Linux/ViceSociety\r\nOther commodity ransomware variants previously leveraged by DEV-0832 are detected as:\r\nBehavior:Win32/Ransomware!Quantum.A\r\nBehavior:Win32/Quantum.AA\r\nRansom:Win32/Zeppelin\r\nRansom:Win32/Blackcat\r\nSystemBC and PortStarter are detected as:\r\nBehavior:Win32/SystemBC\r\nTrojan:Win32/SystemBC\r\nBackdoor:Win64/PortStarter\r\nSome pre-ransomware intrusion activity used in multiple campaigns by various activity groups can be detected\r\ngenerically. During identified DEV-0832 activity, associated command line activity was detected with generic\r\ndetections, including:\r\nBehavior:Win32/OfficeInjectingProc.A\r\nBehavior:Win32/PsexecRemote.E\r\nBehavior:Win32/SuspRemoteCopy.B\r\nBehavior:Win32/PSCodeInjector.A\r\nBehavior:Win32/REnamedPowerShell.A\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate threat activity on your network:\r\nDEV-0832 activity group\r\n‘VSocCrypt’ ransomware was prevented\r\nThe following alerts might also indicate threat activity associated with this threat.\r\n
These alerts, however, can be\r\ntriggered by unrelated threat activity.\r\nUse of living-off-the-land binary to run malicious code\r\nPotential SystemBC execution via Windows Task Scheduler\r\nSuspicious sequence of exploration activities\r\nProcess memory dump\r\nSuspicious behavior by cmd.exe was observed\r\nSuspicious remote activity\r\nSuspicious access to LSASS service\r\nSuspicious credential dump from NTDS.dit\r\nFile backups were deleted\r\nSystem recovery setting tampering\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/"
	],
	"report_names": [
		"dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832",
				"STAC5279",
				"Vanilla Tempest",
				"Vice Society",
				"Vice Spider"
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7688ce660408287636ca848fad20e2bf53bb969.pdf",
		"text": "https://archive.orkl.eu/a7688ce660408287636ca848fad20e2bf53bb969.txt",
		"img": "https://archive.orkl.eu/a7688ce660408287636ca848fad20e2bf53bb969.jpg"
	}
}